PinkKite PoS malware identified

A new threat to your wallet has been detected. Researchers have reported a new point of sale (PoS) malware dubbed PinkKite. If you are not familiar with PoS attacks, they are meant to steal credit card information by reading it from the memory of the retail checkout (point of sale) system. Even though PinkKite is small in size, that does not make it incapable of running severe malware campaigns. In this article, we go through what is known about the new PoS malware and its features.

PinkKite is tiny, but can start very severe PoS attacks

The malware was detected by Kroll Cyber Security researchers. PinkKite is smaller than 6 KB, although most PoS malware threats are tiny. Such a small footprint makes the malware easy to overlook, a common trick attackers use to keep their victims unaware of the danger they are in. PinkKite uses its tiny footprint to stay evasive, and researchers managed to detect it only after it had been active for months.

How was this malware caught? One of PinkKite's victims contacted the Kroll security team and reported that their clients' credit card information was being offered on the black market. Since many companies may have fallen victim to PinkKite, thousands of their clients could be at risk. The creators of the PoS malware may not be using the gathered credit card information themselves, but selling the stolen data instead.

More details about the PinkKite malware

The researchers who found PinkKite have been named: Courtney Dayter and Matt Bromiley. According to one of them, the detected threat differs from other infections in the PoS malware category: it has unique built-in persistence mechanisms, hard-coded double-XOR encryption and its own backend infrastructure. Before the gathered credit card information reaches the attackers' C2 servers, PinkKite passes it through three depots (in the Netherlands, Korea and Canada).

PinkKite is evasive in another way: its main executable poses as a legitimate Windows program named svchost.exe, AG.exe or ctfmon.exe. After the credit card data is gathered, the malware uses the Luhn algorithm to validate it. To be even more secretive, PinkKite applies double-XOR encryption, and it stores the credit card information in compressed files.
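The two mechanisms described above, the Luhn check that separates real card numbers from noise and the double-XOR layer, are shown here from the analyst's side in an added example that is not code from the article or from Kroll. It assumes a recovered staging file in plain text and uses constructed keys; PinkKite's real keys and file layout are not described in the article. The XOR part also makes a point the article does not spell out: two XOR layers with equal-length keys are exactly one XOR with the keys combined, so "double" adds no strength.

```python
import re

# Added example, not code from the article or from Kroll. Staging-file text and
# keys are constructed; PinkKite's real keys and layout are not on the page.


def luhn_valid(number: str) -> bool:
    """True if `number` is 13-19 digits and passes the Luhn (mod 10) checksum."""
    if not number.isdigit() or not 13 <= len(number) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_card_numbers(text: str) -> list:
    """Digit runs in `text` that survive the Luhn check (triage of a recovered file)."""
    return [m.group() for m in CANDIDATE.finditer(text) if luhn_valid(m.group())]


# Constructed content of a recovered staging file; only two runs are Luhn-valid.
SAMPLE_STAGING = (
    "T=4111111111111111;exp=0920\n"
    "T=1234567890123;exp=1121\n"      # 13 digits but fails Luhn: noise
    "T=5500000000000004;exp=0122\n"
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def double_xor(data: bytes, key1: bytes, key2: bytes) -> bytes:
    """Apply two XOR layers, the construction the article calls double-XOR."""
    return xor_bytes(xor_bytes(data, key1), key2)


def collapsed_key(key1: bytes, key2: bytes) -> bytes:
    """For equal-length keys, both layers equal one XOR with key1 ^ key2."""
    assert len(key1) == len(key2)
    return bytes(a ^ b for a, b in zip(key1, key2))


def recover(blob: bytes, key1: bytes, key2: bytes) -> bytes:
    """Undo double-XOR: XOR is its own inverse, so decoding is the same operation."""
    return double_xor(blob, key1, key2)


if __name__ == "__main__":
    k1, k2 = b"\x5a\xa5", b"\x3c\xc3"   # constructed keys, not PinkKite's
    blob = double_xor(SAMPLE_STAGING.encode(), k1, k2)
    assert blob == xor_bytes(SAMPLE_STAGING.encode(), collapsed_key(k1, k2))
    print(find_card_numbers(recover(blob, k1, k2).decode()))
```

Running the script prints the two Luhn-valid numbers from the constructed file. The `collapsed_key` assertion is the practical caveat: once an analyst has one plaintext/ciphertext pair of the right length, the combined key falls out with a single XOR, regardless of how many XOR layers were stacked.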

Researchers have not made any statement about who might be behind PinkKite. The infection appears to target companies and uses the victim's own network environment to spread. To be more specific, PinkKite is distributed using PsExec.
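Two of the observations in this article can be turned into a detection check: PsExec spreads the malware, and the executable borrows the names svchost.exe and ctfmon.exe. The following is an added example, not code from the article or from Kroll. It relies on two facts about Windows rather than on anything PinkKite-specific: PsExec installs a service named PSEXESVC on the target by default (recorded in the System log as Event ID 7045), and the genuine svchost.exe and ctfmon.exe live under System32 (or SysWOW64). The event lines are constructed, and their flattened key=value layout is an assumption about how a collector stores them.

```python
# Added example, not code from the article or from Kroll. Constructed events,
# not real logs; the key=value layout is an assumption about the collector.
SAMPLE_EVENTS = [
    "2018-03-14T02:11:09Z host=POS-07 EventID=7045 ServiceName=PSEXESVC "
    "ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "2018-03-14T02:11:40Z host=POS-07 EventID=4688 "
    "NewProcessName=C:\\Windows\\svchost.exe "
    "ParentProcessName=C:\\Windows\\PSEXESVC.exe",
    "2018-03-14T02:12:03Z host=POS-12 EventID=7045 ServiceName=Spooler "
    "ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "2018-03-14T02:12:30Z host=POS-12 EventID=4688 "
    "NewProcessName=C:\\Windows\\System32\\svchost.exe "
    "ParentProcessName=C:\\Windows\\System32\\services.exe",
]

# Names the article says PinkKite borrows; AG.exe has no fixed legitimate path,
# so it is left out of the path check.
MASQUERADED_NAMES = {"svchost.exe", "ctfmon.exe"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_event(line: str) -> dict:
    """Split a flattened 'timestamp key=value ...' line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    fields["ts"] = ts
    return fields


def check_event(ev: dict) -> list:
    """Return the alert tags that fire for one event (empty list if none)."""
    alerts = []
    if ev.get("EventID") == "7045":
        # Service install: PsExec's default service name or binary name.
        name = ev.get("ServiceName", "").lower()
        path = ev.get("ImagePath", "").lower()
        if name == "psexesvc" or "psexesvc" in path:
            alerts.append("psexec-service-install")
    elif ev.get("EventID") == "4688":
        # Process creation: child of PsExec, or a system name outside System32.
        parent = ev.get("ParentProcessName", "").lower()
        if parent.endswith("\\psexesvc.exe"):
            alerts.append("process-spawned-by-psexec")
        proc = ev.get("NewProcessName", "").lower()
        base = proc.rsplit("\\", 1)[-1]
        if base in MASQUERADED_NAMES and not proc.startswith(LEGIT_DIRS):
            alerts.append("masqueraded-" + base)
    return alerts


def scan(lines) -> list:
    """Run every line through check_event; return (timestamp, host, tag) triples."""
    hits = []
    for ev in map(parse_event, lines):
        for tag in check_event(ev):
            hits.append((ev["ts"], ev.get("host"), tag))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

On the constructed input this raises three alerts on POS-07 and none on POS-12, where the service install and the svchost.exe launch are both legitimate. The path check is the useful one for the masquerading the article describes: a process named svchost.exe is only suspicious when it runs from somewhere other than the system directories, and a legitimate PsExec user can rename the service, so the 7045 rule should be treated as a strong but not exhaustive signal.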

Source: threatpost.com.
